Mandatory data breach notification laws to come into force
Parliament has recently taken steps to address issues relating to cybercrime by passing the Privacy Amendment (Notifiable Data Breaches) Bill 2016 on 13 February 2017. The legislation is due to commence within 12 months of Royal Assent; assent has not yet been given and no commencement date has been fixed.
However, once enacted the legislation will amend the Privacy Act 1998 to require entities experiencing ‘eligible’ data breaches to notify affected and ‘at risk’ individuals and the Office of the Australian Information Commissioner (OAIC) of these breaches.
The new laws will apply to entities which carry on business in Australia or are otherwise subject to the Privacy Act 1998, including businesses and not-for-profit organisations with an annual turnover of $3 million or more, credit providers, credit reporting bodies and entities that hold the tax file number information of one or more individuals.
An ‘eligible’ data breach is:
- There is unauthorised access to, or unauthorised disclosure of, personal information held by an entity, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom that information relates; OR
- Information is lost in circumstances where:
a. Unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
b. Assuming such access or disclosure were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom that information relates.
Whether access or disclosure would likely result in serious harm depends on a number of factors, including the nature and sensitivity of the information, whether there were any security measures in place and the likelihood those measures could be overcome, the characteristics of the person obtaining the information and the nature of the harm suffered by the individual.
If an entity suspects that an ‘eligible’ data breach has occurred, the following steps should be taken:
1. Within 30 days of the suspicion arising, assess the relevant circumstances and determine whether they reasonably amount to an ‘eligible’ data breach;
2. If there are reasonable grounds to believe an ‘eligible’ data breach has occurred then, subject to a number of exceptions, the entity should prepare a statement setting out the contact details of the entity, a description of the breach, the kind of information concerned and the steps it recommends affected individuals take in response. A copy of this statement should be provided to the OAIC;
3. If practicable, take such steps as are reasonable in the circumstances to notify affected and ‘at risk’ individuals of the contents of the statement. If direct notification is not practicable, the entity should publish the statement on its website and take reasonable steps to publicise its contents.
The OAIC may also give written notice to an entity directing it to prepare the statement if it is aware there are reasonable grounds to believe that there has been an ‘eligible’ data breach.
The failure to comply with the new laws will effectively be regarded as a breach of the Privacy Act 1998 and can result in an entity being required to take remedial action, give enforceable undertakings and pay compensation and/or fines of up to $360,000.00 for individuals and $1.8 million for corporations.
Businesses should now review their internal processes, resources and systems to ensure they can adequately respond to any potential data breaches in future. As part of this review process, we suggest contacting your broker to ensure you have adequate insurance cover in place for any potential cyber and privacy breaches.